Simple Hybrid Voice Deployments
Matt Hurst
Technical Director EMEA
Firstly... why CCE Hybrid?
SfB with PSTN/EV Deployment Options
• Online: “Cloud PBX” in Office 365, with PSTN services provided by Microsoft
• Hybrid: user homed on ‘Cloud PBX’ in Office 365, with PSTN via on-premises CCE and SBC
• On Premises: Skype for Business Server and PSTN services 100% on-premises
[Diagram: hybrid site with TDM PBX/IP-PBX and voicemail, analog phones, analog fax machine, local SIP carrier, PSTN, and a SIP trunk to ITSP #2]
Hybrid Benefit - Integration & Migration
• “Drop in” installation: painless interconnect to PBX and Skype for Business O365, enabling co-existence and simple migration using AD
• Legacy Support: analogue and FAX tightly integrated
• SBC Functionality: security and demarcation, protocol and transcoding support
• SIP Registrar: standard SIP devices can register and interconnect
[Diagram: CCE connected to Office 365 (Microsoft Office and Exchange) and to ITSP UK]
Multi-Site, Multi-Country, Mixed Deployments
Multi-Site Deployments using Hybrid
• Meet local regulatory requirements
• Provide integration to each site’s needs
• Maintain or choose provider country by country
[Diagram: Office 365 (Microsoft Office and Exchange) serving CCE sites in London (ITSP), Tokyo (CCE, Japan PSTN) and New York]
6 Confidential and Proprietary – NDA use only
What is Microsoft Cloud Connector Edition (CCE)?
Microsoft Cloud Connector Edition (CCE) is software that provides PSTN and PBX connectivity through Office 365
• Set of 4 VMs (Domain Controller, Central Management Store, Mediation and Edge server) installed on customer hardware
• Enables Cloud PBX users to use on-premises PSTN / PBX resources
• Supports up to 50 or 500 concurrent calls
General Requirements
• Windows Server 2012 R2 ISO image (Standard or Data Center edition)
• Local server administrator account with permissions to install / configure Hyper-V on host servers
• Qualified SBC/Gateway (minimum of two recommended)
• Internet / Express Route connection for deployment
CCE Architecture
• User and call control in O365
• Mediation server and SBC/GW on premises
• Placed in DMZ
• 2 NICs: one in the DMZ, the other internal for media
• One CCE per Tenant
• Media is kept local provided the recommended firewall rules are used
CCE Virtual Machine Details
• A Minimal Topology (minTop) – the minimum components required to run a Mediation server
– No SBA
– No local users / registrar
– Could change in future releases
• Fixed set of 4 VMs
• Automatically updates
• 100% managed through O365 – no local administration other than deployment
• Independent from company AD etc – separate dedicated forest and DNS zone
High Availability
• CCE is stateless – calls are load balanced across multiple CCEs in a site
• If a CCE goes down, the calls are re-built on the remaining devices
• SBC/GWs work Active / Active to CCE
Multiple Sites
• Each user is configured with “Gateway Affinity”
• All calls will be made and received through the user’s home site, even when traveling
Firewall Considerations
Internal Firewall Rules (source -> destination: source port / destination port)
• Cloud Connector Mediation component -> SBC/PSTN Gateway: Any / TCP 5060**
• SBC/PSTN Gateway -> Cloud Connector Mediation component: Any / TCP 5068, TLS 5067
• Cloud Connector Mediation component -> SBC/PSTN Gateway: UDP 49152-57500 / Any***
• SBC/PSTN Gateway -> Cloud Connector Mediation component: Any*** / UDP 49152-57500
• Cloud Connector Mediation component -> Internal clients: TCP 49152-57500* / TCP 50000-50019 (Optional)
• Cloud Connector Mediation component -> Internal clients: UDP 49152-57500* / UDP 50000-50019
• Internal clients -> Cloud Connector Mediation component: TCP 50000-50019 / TCP 49152-57500*
• Internal clients -> Cloud Connector Mediation component: UDP 50000-50019 / UDP 49152-57500*
External Firewall Rules (source -> destination: source port / destination port)
• Any -> Cloud Connector Edge External Interface: Any / TCP 5061
• Cloud Connector Edge External Interface -> Any: Any / TCP 5061
• Cloud Connector Edge External Interface -> Any: Any / TCP 80
• Cloud Connector Edge External Interface -> Any: Any / UDP 53
• Cloud Connector Edge External Interface -> Any: Any / TCP 53
• Cloud Connector Edge External Interface -> Any: UDP 3478 / UDP 3478
• Any -> Cloud Connector Edge External Interface: TCP 50000-59999 / TCP 443
• Any -> Cloud Connector Edge External Interface: UDP 3478 / UDP 3478
• Cloud Connector Edge External Interface -> Any: TCP 50000-59999 / TCP 443
From Skype for Business On Premises to Cloud PBX with CCE
Skype for Business On Premises
[Diagram: on-premises Skype for Business topology – Front-End role, Mediation role, EDGE role, Domain Controller, Central Management Store (CMS), Sonus PSTN gateway to the PSTN, external firewall, and Skype for Business users inside and outside the network]
From On Prem to Cloud Connector Edition
[Diagram: the same on-premises topology (Front-End, Mediation, EDGE, Domain Controller, CMS, Sonus PSTN gateway) alongside Cloud PBX – Skype for Business Online infrastructure with Sonus Cloud Link, Skype for Business Online users on the internal network and on the internet, separated by the external and internal firewalls]
Sonus Cloud Link Appliance
Independently tested, award-winning low to mid-range capacity Session Border Controllers for enterprise premises deployments
SBC 1000 & SBC 2000 CCE Offering
• Up to 500 CCE sessions on a single appliance
– COM Express module (“ASM”) with state-of-the-art server-class CPU, memory, SSD
– SBC capacity up to 600 sessions
• Unparalleled TDM and analog port options
– 16 PRI, 48 FXS in a single appliance
– Rich PRI, FXS, FXO, BRI port mix
• Easy configuration wizard to speed CCE deployment
• Secure architecture to minimize service disruption
How Does Sonus Cloud Link Work?
[Diagram: Sonus SBC 1000/2000 running the CCE ASM and the SBC, linked by a private protocol over internal Ethernet; WS2012 R2 base OS with web server; FXS, FXO, BRI and PRI ports]
• UX Comms runs on the base OS – deploys and manages the VMs
• Provides information back to the SBC UI for operational status
Auto Update - Sonus Cloud Link CCE
• 4 VMs are running on the previous release
• Host CCE process downloads new VMs
• New VMs are brought up (grace license); old VMs are shut down
• V-Switch is moved to the new VMs
• UX Comms is notified about the update – UI is updated
Application Solution Module (ASM) for Cloud Link Cloud Connector Edition Deployments
ASM CPU:
– 8 cores, 16 threads “Broadwell” Xeon® CPU for embedded platforms
– 512GB SSD
• ASM server blade CPU is the LATEST technology
• We offer 16 threads within the Broadwell CPU
• We can allocate enough vCPU threads to the Mediation server (media transcode for CCE)
• We allocate 1 vCPU thread for each of the other 3 VMs
• + 1 vCPU x 4 VMs during Auto-Update = 16 vCPU threads
• Therefore we can SCALE correctly to the 500 sessions (vCPU threads to the Mediation VM determine this) even during auto-update – no performance impact during auto-update
• No sharing of vCPU threads (thread sharing between VMs can have serious performance impact)
Cloud Connector Edition – SBC1k Architecture
Cloud Connector Edition – SBC 2k Architecture
CCE Appliance Benefits
Non-Sonus Cloud Connector Edition Installation is Lengthy
* Source: https://blogs.technet.microsoft.com/nexthop/2016/05/11/cloud-connector-edition-smaller-hardware
Installation process follows Microsoft® Cloud Connector Edition installation instructions:
– Get CCE bits (Hyper-V, CloudConnector.msi, Windows Server ISO) on the host server (~40 min)
– Create virtual switch adapter (5 min)
– Create VHD using CloudConnector.msi and WS2012R2 ISO (4 hours)
– Complete an answer file (.ini) with customer information (45 fields, 20 min)
– Create file share to host certificate and configuration exchange between Host/VM and HostHA1/HostHA2 (10 min)
– Import certificate for CCE EDGE (~45 min)
– Deploy the CCE VM on the host (2 hours)
– Configure gateway
– Activate your O365 tenant for hybrid capability
– Create a PSTN site to assign the user
Install procedure may take 7+ hours at every site (increased OPEX)
Sonus Cloud Link – CCE solution 6.1
Faster deployment
– CCE Setup Wizard (end-user oriented, partner oriented, HA support)
– Pre-loaded package
– Easy configuration template
More secure and reliable
– Preconfigured firewall
– Environment validator
– Logs helper
Sonus Cloud Link – CCE Setup Wizard
5 straightforward tabs to click through
Key configuration settings
– ASM Configuration
– Generate CSR or import signed CSR easily
– Configure CCE: assign external IP addresses for Mediation and Edge servers; configure number of concurrent calls; configure CCE High Availability (HA) – HA Master / HA Slave
– Deploy CCE VM!
Sonus Cloud Link may reduce CCE install time by 5+ hours, with no additional software downloads
Enhanced SBC Config Wizards
New SBC Cloud Connector Edition template
• Inherits information from CCE – minimizes time and errors
• Customized for your CCE deployment
• Optimized for CCE performance
• Optimized for CCE security
Preparing for CCE deployment
CCE – Network Architecture
[Diagram: CCE placed between the external firewall and the internal firewall]
Cloud Tenant, Public Domain and DNS
• An Office 365 Tenant with E5, or E3 + Cloud PBX option licenses
– Microsoft subscription
• A Global or Skype Online Administrator account on your Office 365 Tenant
– Can be configured when creating your Office 365 account
• A public domain name associated with your Office 365 Tenant
– From any vendor and associated on the Office 365 portal
• A public IP for the CCE (Edge External side)
– Delivered by customer IT or Internet Provider
• A DNS record on the public domain forwarding to this public IP
CCE Firewall
Internal firewall
– From internal user to CCE: UDP/TCP 49152-57500
– From CCE to internal user: TCP 50000-50019, UDP 50000-50019
External firewall
– From public to CCE: TCP 5061, TCP 443, UDP 3478
– From CCE to public: TCP 5061, TCP 80, UDP/TCP 53, UDP 3478
[Diagram: CCE between the external firewall and the internal firewall]
Certificate
A certificate (X.509) is:
– An electronic “passport” signed by an Authority
– Allows information to be exchanged securely over a network
– Uses a trusted chain (PKI)
– Links a public key to an FQDN (or an email address)
A certificate contains:
– The name (FQDN) of the Authority that signed it
– A validity period: Not Before / Not After
– The name (FQDN or email) of the computer or user
– The public key of the computer or user
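As an added example (not Sonus or Microsoft code), the three checks this slide implies for the CCE Edge External certificate (trusted signing Authority, Not Before / Not After window, name matching the Edge FQDN published in public DNS), applied to a certificate in the dict layout Python's ssl.getpeercert() returns. The sample certificate, the CA name and the FQDN are constructed for the example.

```python
# Added example (not Sonus/Microsoft code): check the fields the slide lists on an
# X.509 certificate, using the dict shape Python's ssl.getpeercert() returns.
import ssl
import time

# Constructed sample in getpeercert() layout: issuer/subject are tuples of RDNs,
# each RDN a tuple of (attribute, value) pairs; dates use OpenSSL's text form.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Example CA Ltd"),), (("commonName", "Example CA"),)),
    "subject": ((("commonName", "sip.example.com"),),),
    "subjectAltName": (("DNS", "sip.example.com"), ("DNS", "cce-edge.example.com")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2019 GMT",
}

def _rdn_dict(rdns):
    return {attr: value for rdn in rdns for attr, value in rdn}

def _matches(pattern, fqdn):
    """Exact match, or a single leading '*' standing for exactly one host label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        return fqdn.count(".") == pattern.count(".") and fqdn.endswith(pattern[1:])
    return pattern == fqdn

def check_edge_cert(cert, edge_fqdn, trusted_issuers, now=None):
    """Return a list of problems; empty means the certificate passes all three
    checks from the slide: trusted signing Authority, inside its Not Before /
    Not After window, and named for the Edge External FQDN (SAN, else subject CN)."""
    now = time.time() if now is None else now
    problems = []
    issuer_cn = _rdn_dict(cert.get("issuer", ())).get("commonName")
    if issuer_cn not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer_cn!r}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # no SAN: fall back to the subject common name
        names = [_rdn_dict(cert.get("subject", ())).get("commonName", "")]
    if not any(_matches(n, edge_fqdn) for n in names):
        problems.append(f"name mismatch: {names} does not cover {edge_fqdn}")
    return problems
```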
CCE Call Flows
Cloud Connector Edition
CCE – Incoming Call to an Internal User
CCE – Outgoing Call from an Internal User
CCE – External User With Recommended Firewall
Redundancy, Multi Site and Auto-Updates
CCE – Deployment scenarios
Multi site deployment
O365 Tenant organization
[Diagram: a Tenant contains HybridPSTNSites (SiteName, FQDN EDGE, Update Management); each HybridPSTNSite contains HybridPSTNAppliances (CCE Hostname, Deployment state, Update state); users (User 1, User 2) are assigned to a HybridPSTNSite]
O365 Tenant organization
HybridPSTNSite and HybridPSTNAppliance are created automatically when registering CCE during deployment
They can be displayed and managed from the Office 365 tenant PowerShell.
All the HybridPSTNAppliances on a site are in High Availability
– Users will randomly use one of the HybridPSTNAppliances
All the HybridPSTNSites are independent
– If all the Appliances on a HybridPSTNSite are down, Users assigned to this HybridPSTNSite lose service
Auto-Update – IMPORTANT!!
• User configures the tenant HybridSite with a time window
• Can NOT be stopped – default is ANYTIME!
• Will be executed one by one on an HA deployment
Windows Update
– Apply update to VM
– Drain calls
– Reboot VM
– Apply update to Host
– Reboot Host
CCE Update
– Build a new set of 4 VMs from scratch
– Once the new set is ready, retire the previous version pack of VMs
https://support.sonus.net/display/UXDOC61/Managing+Your+Office+365+Tenant
UPDATE! Manual Windows OS updates now supported:
https://technet.microsoft.com/EN-US/library/mt740658.aspx
O365 Tenant Portal – Checking Update Status
Basic information about Site and Appliance:
Basic User management:
Thank You